Authority management apparatus authority management system and authority management method

ABSTRACT

An authority management apparatus configured to communicate with an external apparatus having one or more functions includes a management unit configured to manage authority information indicating an authority concerning use of the one or more functions of the external apparatus with respect to a particular user, an updating unit configured to, based on permission information for permitting a second user different from a first user to use a function of the external apparatus that the first user can execute, update the authority information concerning the second user, and a sending unit configured to send the authority information updated by the updating unit to the external apparatus to be used by the second user.

BACKGROUND OF THE INVENTION

1. Field of the Invention

The present invention relates to an authority management apparatus, anauthority management system, and an authority management method.

2. Description of the Related Art

In a business scene, an upper management person often requests asubordinate worker or his secretary to perform processing, such ascopying, printing, and facsimile transmission, in substitution for him.

In this regard, in order to perform such substitute processing with asystem that centrally manages an authority to access an officeappliance, such as an image forming apparatus (i.e., a printer and adigital multifunction peripheral (MFP)), it is necessary that the personrequested to perform the substitute processing temporarily perform thesubstitute processing on an authority of the requesting person.

Focusing on substitution of print processing, typically, a requestingperson previously performs hold printing (hold job) and notifies apassword for resuming the held processing to a requestee. In holdprinting, when an image forming apparatus receives print data from anexternal apparatus, the image forming apparatus does not immediatelyprint the received print data. The image forming apparatus stores thereceived print data in a storage device included therein. When a usergenerates an instruction for printing the stored print data, the imageforming apparatus prints the stored print data. A password is associatedwith print data. The image forming apparatus prints the stored printdata only when a correct password is input together with the printinstruction.

In addition, focusing on performing processing on other person'sauthority higher than the authority of a requestee, Japanese PatentApplication Laid-Open No. 2004-166241 discusses a method for controllingprocessing with a security policy describing a rule for handling adocument.

Typically in hold printing, even if a requester loses the authority toaccess the requested job, for example due to a change in office orretirement after having requested a print job to a requestee, therequestee can resume the requested print job as long as the requesteehas already received the password to the job. That is, an access rightcannot be always managed in the above-described case although accessrights are centrally managed.

Furthermore, Japanese Patent Application Laid-Open No. 2004-166241discusses a method using pull printing, in which data to be processedand processing conditions for the data are stored. With this method,once a security policy or a processing condition is set for data to beprocessed, a change in setting of an access right cannot be reflected inprocessing the data.

In either of the above-described cases, if a requester loses anauthority after completing an operation for substitute processing, arequestee can perform the substitute processing, which may causedistribution of confidential information.

SUMMARY OF THE INVENTION

The present invention is directed to an authority management apparatusand an authority management system capable of reducing risk ofdistribution of data by a person performing substitute processing.

According to an aspect of the present invention, an authority managementapparatus configured to communicate with an external apparatus havingone or more functions includes a management unit configured to manageauthority information indicating an authority concerning use of the oneor more functions of the external apparatus with respect to a particularuser, an updating unit configured to, based on permission informationfor permitting a second user different from a first user to use afunction of the external apparatus that the first user can execute,update the authority information concerning the second user, and asending unit configured to send the authority information updated by theupdating unit to the external apparatus to be used by the second user.

Further features and aspects of the present invention will becomeapparent from the following detailed description of exemplaryembodiments with reference to the attached drawings.

BRIEF DESCRIPTION OF THE DRAWINGS

The accompanying drawings, which are incorporated in and constitute apart of the specification, illustrate exemplary embodiments, features,and aspects of the invention and, together with the description, serveto explain the principle of the invention.

FIG. 1 illustrates an exemplary configuration of an informationprocessing system according to an exemplary embodiment of the presentinvention.

FIG. 2 illustrates an exemplary hardware configuration of a generalinformation processing apparatus that can implement a mappinginformation management apparatus according to an exemplary embodiment ofthe present invention.

FIG. 3 illustrates an example of association information stored in anassociation information storage unit illustrated in FIG. 1 according toan exemplary embodiment of the present invention.

FIG. 4 is a flow chart illustrating processing for generating theassociation information requested from an authority transfer sourceprincipal according to an exemplary embodiment of the present invention.

FIG. 5 is a flow chart illustrating processing for inquiring, updating,and deleting the association information performed by a principalaccording to an exemplary embodiment of the present invention.

FIG. 6 illustrates a sequence for substitute processing performed by auser B for a user A according to an exemplary embodiment of the presentinvention.

FIG. 7 illustrates an example of text of a message used in notifyingdetails of the association information to an authority transferdestination principal when the association information is updated,according to an exemplary embodiment of the present invention.

FIG. 8 illustrates a memory map of a compact disk-read-only memory(CD-ROM), which is an example of a storage medium according to anexemplary embodiment of the present invention.

FIG. 9 illustrates an exemplary hardware configuration of an imageforming apparatus according to an exemplary embodiment of the presentinvention.

FIG. 10 illustrates an example of authority information about anarbitrary user principal according to an exemplary embodiment of thepresent invention.

DETAILED DESCRIPTION OF THE EMBODIMENTS

Various exemplary embodiments, features, and aspects of the presentinvention will now herein be described in detail with reference to thedrawings. It is to be noted that the relative arrangement of thecomponents, the numerical expressions, and numerical values set forth inthese embodiments are not intended to limit the scope of the presentinvention unless it is specifically stated otherwise.

In the following description, a term “principal” collectively refers toa user using the system according to exemplary embodiments of thepresent invention and a group (division) of arbitrarily sectionalizedusers.

FIG. 1 illustrates an exemplary configuration of an informationprocessing system according to an exemplary embodiment of the presentinvention. The information processing system illustrated in FIG. 1includes a mapping information management apparatus 100, an informationprocessing terminal 110, an image forming apparatus 130, and an accessright information management apparatus 120, which are in communicationwith one another via a communication path 140.

A plurality of information processing terminals 110 and image formingapparatuses 130 can be connected to the communication path 140. Theinformation processing terminal 110 is mainly assumed to be regularlyused by a user to perform an arbitrary operation.

The image forming apparatus 130 can be an MFP having a plurality offunctions, such as a copy function, a print function, an imagecommunication function, and a storage function, and an apparatus havinga single function, such as a printer or a facsimile apparatus. Theaccess right information management apparatus 120 centrally managesaccess right information concerning use of the image forming apparatus130 with respect to each principal.

In using the image forming apparatus 130, a user previously registershimself as a user principal on the access right information managementapparatus 120 to provide the principal with an authority to use theimage forming apparatus 130. In the present embodiment, an authority canbe provided to the user principal or to a group principal to which theuser principal belongs.

An access right is controlled as described below according to theauthority to use the image forming apparatus 130 provided as describedabove. First, the user enters an identification (ID) for identifying aprincipal on the image forming apparatus 130. The image formingapparatus 130 identifies a principal according to the entered ID. In thepresent exemplary embodiment, a general user authentication method canbe used.

Then, the image forming apparatus 130 sends information for identifyingthe principal to the access right information management apparatus 120.The access right information management apparatus 120 generatesinformation for controlling the image forming apparatus 130 according tothe previously registered use authority information for the principalbased on the information received from the image forming apparatus 130.The control information generated can be, for example, data having astructure illustrated in FIG. 10.

FIG. 10 illustrates an example of authority information concerning aspecific user principal. Referring to FIG. 10, a user principal usingthe image forming apparatus 130 can be uniquely identified according toan element “<Username>”.

In addition, an authority to use the functions of the image formingapparatus 130 that the user principal can use and an authority to accessa BOX (a storage area in a storage device of the image forming apparatus130) are described below the element “<Username>”. In the exampleillustrated in FIG. 10, a user identified as “Bob” is provided withauthorities to use a “SEND” function, a “PRINT” function, and a “BOX”function of the image forming apparatus 130.

The user named “Bob” has a full access (unrestricted access) to a BOXidentified with a BOX device ID “1003”. With respect to a box identifiedwith a BOX device ID “1001” and an ID “044”, the user “Bob” has anauthority to read only. The BOX function utilizing a BOX will bedescribed below.

The image forming apparatus 130 interprets the control informationgenerated by the access right information management apparatus 120 andcontrols the processing requested by the user according to the controlinformation.

In the present embodiment, objects of authority transfer, which will bedescribed below, include an authority to use a function that isdescribed as an element “<Function>” in FIG. 10 and an authority toaccess data stored in a BOX described as an element “<BOX>” in FIG. 10.

In the present embodiment, the authority information described in thecontrol information includes information about an authority to use thefunctions of the image forming apparatus 130 and an access right to thedata stored in a BOX. However, any authority information can be used aslong as the information can be managed by the access right informationmanagement apparatus 120. Furthermore, different information equivalentto the above-described authority information can be used.

In this case, it is necessary to modify an authority information schemaillustrated in FIG. 10 so that the different information is included inthe authority information. The control information illustrated in FIG.10 is also referred to as an “access control ticket” (ACT).

The mapping information management apparatus 100 can be implemented byhardware, or can be implemented by software on a general informationprocessing apparatus, such as a personal computer (PC) or a servercomputer, as will be described below with reference to FIG. 2.

Furthermore, in the case where the mapping information managementapparatus 100 is to be implemented by hardware, the mapping informationmanagement apparatus 100 can be implemented by hardware including asingle apparatus or by hardware including a plurality of arbitraryapparatuses operating on single hardware. For example, the mappinginformation management apparatus 100 and the access right informationmanagement apparatus 120 can be integrated in the same server apparatus.

The mapping information management apparatus 100 includes an associationinformation updating unit 101, an association information inquiry unit102, an association information storage unit 103, a user interfacedisplay unit 104, and a communication unit 105.

The association information updating unit 101 updates information formutually associating an authority transfer source principal, anauthority transfer destination principal, and processing that is anobject of authority transfer, according to a user operation via theinformation processing terminal 110 and a user interface of the mappinginformation management apparatus 100 itself.

The mapping information management apparatus 100 enables transfer of atleast one part of an authority of a specific principal, of authorityinformation managed by the access right information management apparatus120, to another principal.

That is, the association information managed by the mapping informationmanagement apparatus 100 permits another principal to use the functionof the image forming apparatus 130 that can be used by a specificprincipal.

In the authority transfer according to the present embodiment, in onecase, no access right remains for an authority transfer source principalafter an access right of the authority transfer source principal istransferred to an authority transfer destination principal. In anothercase, an access right remains for an authority transfer source principalafter an access right of the authority transfer source principal istransferred to an authority transfer destination principal.

At the time when the access right information management apparatus 120generates control information for the image forming apparatus 130, theassociation information inquiry unit 102 generates an inquiry as toassociation information according to a request from the access rightinformation management apparatus 120. The “association information”refers to information about an authority to be transferred to anauthority transfer destination principal from an authority transfersource principal. The “association information” will be described indetail below.

After the inquiry has been issued, the access right informationmanagement apparatus 120 updates the use control information of anauthority transfer destination principal with the use controlinformation of an authority transfer source principal. Then, the accessright information management apparatus 120 generates control informationfor the image forming apparatus 130 with respect to the authoritytransfer destination principal.

Thus, the access right information management apparatus 120 can generatedynamic and appropriate information for controlling the image formingapparatus 130 without rewriting the use control information with respectto principals that the access right information management apparatus 120manages.

The association information storage unit 103 stores associationinformation. The user interface display unit 104 functions as a userinterface of the association information updating unit 101 and theassociation information inquiry unit 102. The communication unit 105enables communication with the information processing terminal 110 andthe access right information management apparatus 120.

The exemplary structure of the mapping information management apparatus100 illustrated in FIG. 1 can be implemented by hardware, such asapplication specific integrated circuits (ASIC) or an field programmablegate array (FPGA). Furthermore, the exemplary structure of the mappinginformation management apparatus 100 illustrated in FIG. 1 can beimplemented by a combination of a general personal computer andsoftware.

FIG. 2 illustrates an exemplary hardware configuration of a generalinformation processing apparatus that can implement the mappinginformation management apparatus 100.

Referring to FIG. 2, an information processing apparatus 200 includes acentral processing unit (CPU) 201. The CPU 201 executes software storedon a read-only memory (ROM) 202 or a hard disk drive (HDD) 210. The CPU201 controls devices that are in communication with one another via asystem bus 213.

The HDD 210 is also used as an area for storing association information.A random access memory (RAM) 203 is used as a main memory and a workarea for the CPU 201. An external input controller (“Input Dev C” inFIG. 2) 205 controls input of an instruction via an input unit (“InputDev” in FIG. 2) 206, which includes a keyboard and a mouse of theinformation processing apparatus 200. A display controller (“Display C”in FIG. 2) 207 controls a display on a display module (“Display” in FIG.2) 208, which includes a liquid crystal display. A disk controller(“DKC” in FIG. 2) 209 controls the HDD 210.

A network interface card (NIC) 204 performs interactive datacommunication with another network device and a file server via anetwork 214 (equivalent to the communication path 140 in FIG. 1). Datatransmitted during processing for updating the association informationand processing for inquiring about the association information can betransmitted via the NIC 204.

The HDD 210 can be used as a temporary storage area for informationbeing processed. The information processing terminal 110 also has ahardware configuration such as the one illustrated in FIG. 2.

An exemplary configuration of the image forming apparatus 130 (FIG. 1)will now be described with reference to FIG. 9. Referring to FIG. 9, animage forming apparatus 900 includes a CPU 901. The CPU 901 executessoftware stored in a ROM 903 or an external memory 911. The CPU 901controls blocks that are in communication with one another via a systembus 904.

An image signal generated by the CPU 901 is output to a printing unit(image forming engine) 909 via a printing unit interface (I/F) 905. ARAM 902 is used as a main memory and a work area for the CPU 901. Anaccess to the external memory 911 is controlled by a memory controller(MC) 906. The external memory 911 stores, among other things, font data,an emulation program, and image data.

An operation unit 910 includes an operation switch and a light emittingdiode (LED) display device. A scanner unit I/F 907 corrects, processes,and edits image data received from a scanner unit 912. When the usergenerates an instruction for starting reading an image of a documentwith the operation unit 910, a document reading instruction is sent tothe scanner unit 912.

An NIC 908 performs interactive data communication with another networkdevice and a file server via a network 913 (equivalent to thecommunication path 140 in FIG. 1). Print image data and information forcontrolling use of the image forming apparatus 130 can be transmittedvia the NIC 908. The external memory 911 can be used as a temporarystorage area for information being processed.

The CPU 901 regulates traffic of data transmitted via the system bus904. The CPU 901 controls a data flow path as described below accordingto usage of the image forming apparatus 900.

Copy function: the operation unit 910 the scanner unit 912→the scannerunit I/F 907→the printing unit I/F 905→the printing unit 909.

Network printing function: the NIC 908→the printing unit I/F 905→theprinting unit 909.

Send function: the operation unit 910→the scanner unit 912→the scannerunit I/F 907→the NIC 908.

In the case where image data stored in the external memory 911 is usedinstead of a scan image, the scan processing operations (the scannerunit 912→the scanner unit I/F 907) are replaced with image data readingoperations (the external memory 911→the MC 906).

In the case where image data is stored in the external memory 911instead of performing print processing, the print processing operations(the printing unit I/F 905→the printing unit 909) are replaced withimage data storage operations (the MC 906→the external memory 911). Theabove-described function for reading and storing image data is hereinreferred to as a “BOX function”.

The functions of the image forming apparatus 130, such as the copyfunction, the network printing function, and the send function, can becontrolled as permission or inhibition of their execution according tothe above-described use control information. The control of access toimage data in the above-described BOX function (i.e., permission andinhibition of reading and storing image data) can be performed accordingto the use control information.

FIG. 3 illustrates an example of a form of storage of the associationinformation stored in the association information storage unit 103illustrated in FIG. 1. It is assumed that information is managed with arelational database in a database management system (DBMS).

In the present embodiment, the relational database can be stored in theHDD 210 illustrated in FIG. 2. Alternatively, the relational databasecan be stored on an apparatus that can communicate with the mappinginformation management apparatus 100 (FIG. 1) existing on thecommunication path 140 (FIG. 1).

In the present embodiment, as illustrated in FIG. 3, a database schemafor managing association information includes a table T300 and a tableF310. The table T300 manages a principal portion of the associationinformation. The table F310 is generated by normalizing informationabout processing performed by the image forming apparatus 130. The tableF310 is subordinate to the table T300.

The table T300 will be described below. An authority transfer sourceprincipal ID T301 is an item storing an identifier with which anauthority transfer source principal can be uniquely identified.

Here, it is necessary that the data stored in this item, namely, anauthority transfer source principal ID, is identical to the identifierused as an authority transfer source principal ID in the access rightinformation management apparatus 120 illustrated in FIG. 1.

A processing ID T302 is an item storing a processing ID for uniquelyidentifying a content of processing by the image forming apparatus 130.The content of processing by the image forming apparatus 130 is managedby the table F310. The table F310 will be described in detail below.

An authority transfer destination principal ID T303 is an item storingan identifier that enables uniquely identifying an authority transferdestination principal designated with the authority transfer sourceprincipal ID T301.

As in the case of the authority transfer source principal ID T301, it isnecessary that the data stored in the authority transfer destinationprincipal ID field T303 be identical to the identifier used in theaccess right information management apparatus 120 illustrated in FIG. 1.

An expiration date T304 is an item storing a date until which theauthority transfer is valid. In the case where no expiration date isprovided (that is, in the case where the authority is semipermanentlytransferred), a symbol or a word indicating so (“unlimited” in FIG. 3)or a null value is stored.

After the lapse of the expiration date, the mapping informationmanagement apparatus 100 automatically deletes the associationinformation. Setting an appropriate expiration date facilitatesinhibiting the authority transfer destination principal from performingthe requested processing without limitation.

By providing an expiration date as described above, the security in thecase of requesting another person to perform processing using the imageforming apparatus 130 can be improved.

In the case where a record for the authority transfer is to be nullifiedupon lapse of the expiration date T304 or by performing informationupdating processing requested from the association information updatingunit 101 (FIG. 1), a deletion flag T305 enables detecting whether therecord is still valid or invalid. That is, the deletion flag T305 is anitem to be used for so-called “undeleting”. As described above, in thepresent embodiment, in nullifying a record, the record is not deletedfrom the actual table. However, a specific record can be deleted.

The contents described in the above-described items can be mutuallycombined under a condition conforming to an operation policy, such aswhether an authority can be transferred to a plurality of principals atthe same time or on the contrary, whether authorities can be transferredfrom a plurality of principals. The combined contents can be uniquelyrestricted.

That is, it is useful to combine the authority transfer source principalID T301 and the processing ID T302, or to combine the processing ID T302and the authority transfer destination principal ID T303, under acondition conforming to the operation policy. Furthermore, it is usefulto perform a setting as to whether an authority of an authority transfersource principal can be nullified in transferring the authority, under acondition conforming to the operation policy.

The table F310 will now be described. A processing ID F311 is an itemstoring an identifier with which a content of processing performed bythe image forming apparatus 130 can be uniquely identified. In thepresent embodiment, the processing ID F311 is assumed to function as aprimary key of the table F310.

As illustrated in FIG. 3, the processing ID F311 is defined withreference to the processing ID T302 in the table T300. Thus, theintegrity between the table T300 and the table F310 can be maintained.

In generating a processing ID, a non-overlapping sequence numberprovided by the DBMS can be utilized. Alternatively, a processing ID canbe generated, for example, by an operation of the CPU 201 according to aprogram previously stored in the ROM 202 or the HDD 210.

A function F312 is an item storing a value with which a functionprovided by the image forming apparatus 130 can be identified.

In the present embodiment, a function identifier is represented with acharacter string. However, a function identifier can be represented witha numerical value or a symbol indicating the value. In the presentembodiment, function names such as “COPY”, “FAX”, and “SEND” are used.

A device ID F313 is an item storing an identifier with which the imageforming apparatus 130 can be uniquely identified. The device ID F313indicates, for example, a model number individually assigned to theimage forming apparatus 130.

Furthermore, information for uniquely identifying the image formingapparatus 130 on the communication path 140, namely, an Internetprotocol (IP) address or a media access control (MAC) address, can beused as the device ID F313.

The image forming apparatus 130 includes a storage area (namely, a“BOX”) that can store image data. A plurality of BOXes is provided in astorage area (the external memory 911) of the image forming apparatus130. Each of the BOXes is identified with a unique ID within the imageforming apparatus 130 and a related system.

A BOX ID F314 in the table F310 is an item storing a unique ID withwhich the BOX can be uniquely identified. The BOX ID F314 is assumed tobe used in combination with the device ID F313 to uniquely identify astorage area of an arbitrary image processing apparatus 130. A pluralityof data can be stored in one BOX.

A data ID F315 is an item storing an identifier with which image datastored in a storage area indicated by the device ID F313 and the BOX IDF314 can be uniquely identified.

As a user enters a specific value in each of the function F312, thedevice ID F313, the BOX ID F314, and the data ID F315, the scope ofapplying an authority transfer narrows. When a user enters an indefinitevalue, such as a null value, for example, in each of the function F312,the device ID F313, the BOX ID F314, and the data ID F315 in a reverseorder, the scope of applying an authority transfer increases.

For example, when an ID is entered in each of the device ID F313 and theBOX ID F314 and a null value is entered in the data ID F315, anauthority transfer applies to all image data stored in each of the BOXesidentified with the BOX ID 314. Each of the identifiers (values) storedin and managed by the table F310 is a value effective in each of theapparatuses and devices in the information processing system illustratedin FIG. 1.

FIG. 4 and FIG. 5 each illustrate an exemplary flow of processing formanaging association information for an authority of a principal. FIG. 4is a flow chart illustrating processing for generating the associationinformation requested from a user. FIG. 5 is a flow chart illustratingprocessing for inquiring, updating, and deleting the associationinformation. The processing illustrated in each of FIG. 4 and FIG. 5 isperformed by the CPU 201 according to a program previously stored on theROM 202 or the HDD 210 of the mapping information management apparatus100.

The association information is generated by an authority transfer sourceprincipal according to the processing illustrated in FIG. 4.

Referring to FIG. 4, in step S401, the CPU 201 displays a user interfaceprompting a user to enter data in each data item constituting theassociation information illustrated in FIG. 3. The processing in stepS401 is performed with the user interface display unit 104 illustratedin FIG. 1.

An output of the processing in step S401 can be displayed on the display208 (FIG. 2) by the display controller 207 (FIG. 2). Alternatively, theoutput can be transmitted to the information processing terminal 110,for example, via the communication unit 105 (FIG. 1).

In step S402, the association information updating unit 101 illustratedin FIG. 1 acquires the association information entered by the user viathe user interface display unit 104. In step S403, the CPU 201 storesthe entered association information in the association informationstorage unit 103.

In step S404, the association information updating unit 101 estimates anend status related to the storage of the association information in theassociation information storage unit 103. In addition, in step S404, theassociation information updating unit 101 determines whether the newlygenerated association information is appropriate.

More specifically, the association information updating unit 101determines whether the content of each of the function F312, the BOX IDF314, and the data ID F315 can be processed with an authority of theauthority transfer source principal.

If, as a result of the determination in step S404, it is determined thatthe content of each of the function F312, the BOX ID F314, and the dataID F315 can be processed with an authority of the authority transfersource principal, then the association information updating unit 101determines that the association information is appropriate.

On the other hand, if, as a result of the determination in step S404, itis determined that the content of each of the function F312, the BOX IDF314, and the data ID F315 cannot be processed with an authority of theauthority transfer source principal, then the association informationupdating unit 101 determines that the association information is notappropriate. Thus, the transfer of an authority for the processing thatthe authority transfer source principal is not authorized to perform canbe prevented.

If the processing is determined to be normally completed, that is, if itis determined in step S404 that the association information isappropriate, (YES in step S404), then the CPU 201 advances to step S405.In step S405, the association information updating unit 101 sends anotification to a principal identified with the authority transferdestination principal ID T303 (FIG. 3) via the communication unit 105,as illustrated in an example in FIG. 7. In the present embodiment, thenotification is sent via e-mail. The notification method is not limitedto e-mail, and any other notification method that would enable practiceof the present invention is applicable.

In this case, at the time the association information is entered,information about a notification destination is entered by the userentering the association information.

In step S406, the user interface display unit 104 displays a processingend status on the user interface. Then, the CPU 201 ends the processing.

Processing for inquiring, updating, and deleting the associationinformation, performed by the mapping information management apparatus100 according to a request from a principal, is performed as illustratedin FIG. 5.

The flow of processing illustrated in FIG. 5 mainly includes threeprocessing operations, namely, inquiry for the association information,correction of the association information, and deletion of theassociation information. In this regard, in performing the correctionprocessing and the deletion processing, it is necessary to previouslyidentify (inquire) the association information to be corrected ordeleted.

The inquiry processing will be described first, and then the correctionprocessing and the deletion processing will be described.

Referring to FIG. 5, in the processing for inquiring the associationinformation, in step S501, the CPU 201 displays a user interface forprompting the user to enter a value that is a condition for theassociation information to be inquired. More specifically, the CPU 201prompts the user to enter the authority transfer source principal IDT301 and/or the authority transfer destination principal ID T303. In theprocessing in step S501, a displaying method similar to that used instep S401 in the flow chart of FIG. 4 can be used.

In step S502, the association information inquiry unit 102 illustratedin FIG. 1 acquires the value that is the condition for the inquiry ofthe association information entered via the user interface display unit104. In step S503, the association information inquiry unit 102 inquiresthe association information stored in the association informationstorage unit 103. In step S504, the user interface display unit 104displays the inquired association information by a method similar tothat in step S501.

Now, the processing for correcting and deleting the associationinformation will be described.

In step S505, the user interface display unit 104 generates an inquiryas to whether the information identified in the above-describedassociation information inquiry processing is to be updated. If it isdetermined in step S505 that the identified association information isto be updated (YES in step S505), then the CPU 201 advances to stepS511. In step S511, the CPU 201 inquires whether the updating processingis to be performed by correcting the association information or bydeleting the association information.

With respect to the above-described branching processing (step S505 andstep S511), the user can generate an instruction for branching theprocessing in step S504. Alternatively, another user interface can bedisplayed to allow the user to generate an instruction for branching theprocessing. If the user generates an instruction for deleting theassociation information in the branching processing in step S511, thatis, if it is determined that the association information is to bedeleted, (YES in step S511), then the CPU 201 advances to step S521. Instep S521, the CPU 201 deletes the association information with theassociation information updating unit 101.

On the other hand, if the user does not generate an instruction fordeleting the association information, that is, if it is determined thatthe user generates an instruction for correcting the associationinformation, (NO in step S511), then the CPU 201 advances to step S512.In step S512, the CPU 201 stores the association information acquired inthe above-described inquiry processing in the field in which theassociation information can be corrected and displays the associationinformation via the user interface display unit 104.

In step S513, the association information updating unit 101 acquires theassociation information corrected via the user interface display unit104. In step S514, the CPU 201 corrects the association information withthe association information storage unit 103 according to the correcteddata.

In step S515, the CPU 201, with respect to the deletion processing instep S521 and the correction processing in step S514, estimates an endstatus related to updating in the association information storage unit103. If it is determined in step S515 that the processing is normallycompleted (YES in step S515), then the CPU 201 advances to step S516. Instep S516, the CPU 201 performs processing similar to the processing fornotifying the principal in step S405 illustrated in FIG. 4.

The processing in step S515 is similar to the processing in step S404illustrated in the flow chart of FIG. 4. That is, in step S515, the CPU201 determines whether the updated association information isappropriate. In step S517, the user interface display unit 104 displaysa processing end status on the user interface. Then, the CPU 201 endsthe inquiry processing and the updating processing.

An example of substitute print processing performed by the image formingapparatus 130 responsive to an authority transfer will now be described.

FIG. 6 illustrates an exemplary sequence for substitute processingperformed by the user B for the user A.

In the example illustrated in FIG. 6, the user A stores a document in aBOX in the image forming apparatus 130. Then, the user A transfers anauthority to the user B.

Referring to FIG. 6, a terminal A (A601) and a terminal B (A602) areinformation processing terminals 110 used by the user A and the user B,respectively. Both user A and user B are users of the system. The accessright information management apparatus 120 (FIG. 1) manages the accessrights of the users A and B with respect to the image forming apparatus130.

An access right information management apparatus A 603 corresponds tothe access right information management apparatus 120 illustrated inFIG. 1. In the present embodiment, the access right informationmanagement apparatus A 603 not only manages access right information forthe principal, but also an access control ticket (ACT), whichcorresponds to the control information illustrated in FIG. 10.

A mapping information management apparatus A604 corresponds to themapping information management apparatus 100 illustrated in FIG. 1. Themapping information management apparatus A604 manages associationinformation for an authority transfer source principal ID and anauthority transfer source principal ID with respect to the processingperformed by the image forming apparatus 130 using the table illustratedin FIG. 3.

An image forming apparatus A605 corresponds to the image formingapparatus 130 illustrated in FIG. 1. The image forming apparatus A605interprets the ACT acquired from the access right information managementapparatus A603 according to a request for performing processing from aprincipal and provides a function within a range described in theacquired ACT to the principal. A BOX A606 is a storage area that canstore image data managed for each image forming apparatus.

The sequence illustrated in FIG. 6 will be described below.

In step S611, the user A requests the user B to perform substituteprinting. After the user B has approved performing the substituteprinting, the user A stores a document to be printed into the BOX A606managed by the image forming apparatus A605.

As described above, the substitute processing performed with the imageforming apparatus A605 is controlled with an ACT generated by the accessright information management apparatus A603. Accordingly, in step S612,the terminal A (A601) requests the access right information managementapparatus A603 to generate an ACT for the image forming apparatus A605.

In step S613, the access right information management apparatus A603generates an ACT to the terminal A (A601) in response to the requestfrom the terminal A (A601).

The access right information management apparatus A603, at the time ofgenerating an ACT, generates a request for inquiring the associationinformation for the user A to the mapping information managementapparatus A604. In the present embodiment, it is assumed that noassociation information is stored related to the processing.Accordingly, the inquiry processing as to the association informationfor the user A is not illustrated in FIG. 6.

The processing related to the association information such as theinquiry processing will be described below.

In step S614, the terminal A (A601) sends the ACT received from theaccess right information management apparatus A603 to the image formingapparatus A605 and requests storage of the document to be printed (printdocument) in the BOX A606.

In step S615, the image forming apparatus A605 checks whether the user Ahas an appropriate authority according to the ACT sent from the terminalA (A601). In step S616, the image forming apparatus A605 stores theprint document in the BOX A606. In step S617, the image formingapparatus A605 sends a reply to the request. Here, the image formingapparatus A605 sends a processing ID, a function ID, a device ID, a BOXID, and a data ID in response to the request.

Then, the user A performs a setting for transferring an authority toprint the document to the user B. Here, the user A performs processingsimilar to the processing illustrated in FIG. 4.

The user A enters an the authority transfer source principal ID, aprocessing ID, an authority transfer destination principal ID, anexpiration date, information indicating the presence or absence of adeletion flag, a function ID, a device ID, a BOX ID, and a data ID,which are entered via the terminal A (A601).

The information notified from the image forming apparatus A605 in stepS617 is used as the processing ID, the function ID, the device ID, theBOX ID, and the data ID.

Then, in step S618, the user A sends the entered information from theinformation processing terminal 110 (A601) to the mapping informationmanagement apparatus A604.

With respect to the setting by the user, the user A can enter thesetting via the user interface displayed by the user interface displayunit 104 of the mapping information management apparatus A604.

Thus, in the mapping information management apparatus A604, theassociation information is set in the table illustrated in FIG. 3. Thecontent of the setting performed with the mapping information managementapparatus A604 is sent, via e-mail for example, to the terminal B(A602).

Then, substitute print processing by the user B using the transferredauthority is subsequently performed. The user B operates the terminal B(A602). In step S619, the terminal B (A602) requests the access rightinformation management apparatus A603 to generate an ACT for the user Bconcerning the image forming apparatus A605.

In step S620, the access right information management apparatus A603inquires the mapping information management apparatus A604 about theassociation information for the user B for the processing by the imageforming apparatus A605, according to the request from the terminal B(A602).

Then, the mapping information management apparatus A604 refers to thetable T300 and the table F310 illustrated in FIG. 3 to search for theassociation information matching the information that the access rightinformation management apparatus A603 has received from the terminal B(A602).

As a result, the association information set in step S618 is searched.In step S621, the mapping information management apparatus A604 sendsthe search result to the access right information management apparatusA603 as a reply to the request.

The access right information management apparatus A603, after receivingthe association information from the mapping information managementapparatus A604, acquires only a processing content described in thereceived association information of the access right informationconcerning the user B.

In step S622, the access right information management apparatus A603applies, to the acquired access right information, the access rightinformation for the principal (here, the user A) described in theauthority transfer source principal ID T301 in FIG. 3 to generate an ACTto the terminal B (A602).

The ACT thus generated has a content reflecting restriction to use theimage forming apparatus A605, which is defined by the associationinformation. The use restriction defined by the association informationincludes the expiration date in the association information, forexample.

If, at this time, no principal information for the user B exists undermanagement by the access right information management apparatus A603,the access right information management apparatus A603 can nullify theACT generation processing itself and send error code. Alternatively, theaccess right information management apparatus A603 can generate an ACTaccording only to the access right information for the user B.

In step S623, the terminal B (A602), after having received the ACT fromthe access right information management apparatus A603, sends the ACT tothe image forming apparatus A605 to request processing for printing thedocument.

In step S624, the image forming apparatus A605 checks whether the user Bhas an authority to perform the requested operation according to theACT, as in the processing in step S615. In steps S625 and S626, theimage forming apparatus A605 prints the document data stored in the BOXA606.

At this time, the image forming apparatus A605 prints the documentaccording to the content of the ACT reflecting the associationinformation.

For example, if updating processing for nullifying the associationinformation has been performed due to lapse of the expiration date inthe association information (i.e., when the deletion flag T305 is set to“TRUE”), the content inhibiting the use of the image forming apparatusA605 is reflected to the ACT. In this case, the image forming apparatusA605 receives the ACT but does not perform printing.

After having performed the requested processing, in step S627, the imageforming apparatus A605 notifies the access right information managementapparatus A603 that the requested processing has been completed andsends arbitrary information as necessary. The information sent can bethe information to be updated (overwritten) by the processing with thedata managed by the access right information management apparatus A603,such as information about the number of paper sheets output by theprinting.

In step S628, after receiving the notification of completion of theprocessing from the image forming apparatus A605, the access rightinformation management apparatus A603 also notifies the completion ofthe processing to the mapping information management apparatus A604. Instep S629, after receiving the notification of completion of theprocessing, the mapping information management apparatus A604 notifiesthe terminal A (A601) that the processing performed according to thetransferred authority has been normally completed.

With respect to the above-described processing performed in steps S628and S629, an item indicating information about the number of times ofauthorized print operations can be provided in the table T300illustrated in FIG. 3. That is, the configuration of the presentembodiment can be arranged such that the number of times of authorizedoperations for printing the data indicated in the table T300 isdecremented by one at the time of performing the processing in stepS628. When the number of times of authorized print operations isdecremented to zero, the deletion flag T305 is updated to “TRUE”.

For example, when the number of times of authorized print operations isset to “1”, the authority transfer destination principal can no longerperform the once-performed processing.

By setting an upper limit value for the number of times of authorizedprocessing operations, an authority transfer destination principalcannot freely perform the transferred processing a desired number oftimes. Thus, the security in the case where an authority is transferredcan be improved.

In addition, by adding to the table an item indicating an e-mail addressof the user transferring his authority, flexible implementation can berealized such that when the processing is completed or when the deletionflag T305 is updated, an e-mail indicating so is sent to the set e-mailaddress.

In the example illustrated in FIG. 6, the terminal B (A602) generates arequest for printing a document stored in the BOX A606. Alternatively,the image forming apparatus A605 can generate a request for printing adocument stored in the BOX A606 according to an operation on the imageforming apparatus A605 by the user B.

In this case, in step S619, the image forming apparatus A605 sends therequest to the access right information management apparatus A603.

Furthermore, in step S622, the access right information managementapparatus A603 sends an ACT to the image forming apparatus A605.

Moreover, in step S623, the user B operates the image forming apparatusA605 to generate an instruction for printing the document stored in theBOX A606.

FIG. 8 illustrates a memory map of a CD-ROM, which is an example of astorage medium according to the present embodiment.

Referring to FIG. 8, in a storage area 9999, directory information isstored. The directory information stored in the storage area 9999indicates information about positions of subsequent storage areas 9998and 9997.

In the storage area 9998, an installation program is stored. In thestorage area 9997, a program for managing association information forthe information processing apparatus 200 is stored.

In installing on the information processing apparatus 200 theassociation information management program for the informationprocessing apparatus 200, first, the installation program stored in thestorage area 9998 is loaded on the ROM 202 or the HDD 210 of the systemto be executed by the CPU 201.

Then, the installation program executed by the CPU 201 reads theassociation information management program for the informationprocessing apparatus 200 from the storage area 9997 to overwrite thedata stored on the ROM 202 with the read program or to install the readprogram on the HDD 210. In this case, it is required that the ROM 202 isa rewritable ROM, such as a Flash ROM, not a simple mask ROM.

As described above, according to the present embodiment, the associationinformation to be reflected to an ACT can be appropriately updated asnecessary. Thus, restriction on using an image forming apparatus withrespect to an already-generated job can be changed at an arbitrarytiming.

For example, as descried above, by properly setting the range ofrestriction on the processing performed with the image forming apparatusor by appropriately inhibiting the use of the image forming apparatus,an access to data from an authority transfer destination principal,which is not desired or allowed by an administrator of the system andcould cause distribution of the data, can be prevented.

As described above, in the present embodiment, granularity designatedfor processing information, i.e., range of restriction on performingprocessing, in association information can be changed. Furthermore,information indicating an expiration date in the association informationor information indicating the number of times of authorized processingoperations (applications) is added to the association information.

Accordingly, the degree of freedom of utilizing an authority transferredto an authority transfer destination principal can be either increasedor decreased. By controlling the utilization of a transferred authority,the risk of improper or falsified utilization of an authority can bereduced.

In addition, the management and control of the authority is performednot beyond a control boundary set according to centrally-managedprincipal authorities.

Accordingly, even in the case of a change in or nullification of thetransferred authority, for example due to a change in office of orretirement of the principal who has transferred his authority, thetransferred authority can be managed and controlled while reflecting thecontent of the change or nullification at an appropriate timing.

Moreover, with respect to a destination of adding an amount of use, suchas charging information, a restriction of use can be applied by addinginformation related to the amount of use to the association information,which implements more flexible control.

Moreover, the present invention can be applied to a system or anintegrated apparatus including a plurality of devices, for example, acomputer, an interface device, and a reader, and to an apparatus thatincludes a single device.

Furthermore, the present invention can also be achieved by providing asystem or a device with a storage medium (or a recording medium) whichstores program code of software implementing the functions of theexemplary embodiments and by reading and executing the program codestored in the storage medium with a computer of the system or the device(a CPU or an MPU).

In this case, the program code itself, which is read from the storagemedium, implements the functions of the exemplary embodiments describedabove, and accordingly, the storage medium storing the program codeconstitutes the present invention.

As the storage medium for supplying such program code, a floppy disk, ahard disk, an optical disk, a magneto-optical disk (MO), a CD-ROM, aCD-recordable (CD-R), a magnetic tape, a nonvolatile memory card, and aROM, for example, can be used.

In addition, the functions according to the embodiments described abovecan be implemented not only by executing the program code read by thecomputer, but also implemented by the processing in which an operatingsystem (OS) or the like carries out a part of or the whole of the actualprocessing based on an instruction given by the program code.

Further, in another aspect of the embodiment of the present invention,after the program code read from the storage medium is written in amemory provided in a function expansion board inserted in a computer ora function expansion unit connected to the computer, a CPU and the likeprovided in the function expansion board or the function expansion unitcarries out a part of or the whole of the processing to implement thefunctions of the embodiments described above.

While the present invention has been described with reference toexemplary embodiments, it is to be understood that the invention is notlimited to the disclosed exemplary embodiments. The scope of thefollowing claims is to be accorded the broadest interpretation so as toencompass all modifications, equivalent structures, and functions.

This application claims priority from Japanese Patent Applications No.2006-206981 filed Jul. 28, 2006 and No. 2007-133406 filed May 18, 2007,which are hereby incorporated by reference herein in their entirety.

1. An authority management apparatus configured to communicate with anexternal apparatus having one or more functions, the authoritymanagement apparatus comprising: a management unit configured to manageauthority information indicating an authority concerning use of the oneor more functions of the external apparatus with respect to a particularuser; an updating unit configured to, based on permission informationfor permitting a second user different from a first user to use afunction of the external apparatus that the first user can execute,update the authority information concerning the second user; and asending unit configured to send the authority information updated by theupdating unit to the external apparatus to be used by the second user.2. The authority management apparatus according to claim 1, wherein theupdating unit is configured to update the authority informationconcerning the second user according to the permission information basedon receiving, from an external source, information indicating a requestfor permitting the second user to use the external apparatus.
 3. Theauthority management apparatus according to claim 1, wherein theauthority management apparatus communicates with a permissioninformation management apparatus that provides the permissioninformation to the authority management apparatus, and wherein theupdating unit is configured to update the authority informationconcerning the second user based on the permission information receivedfrom the permission information management apparatus.
 4. The authoritymanagement apparatus according to claim 1, further comprising apermission information management unit configured to manage thepermission information.
 5. The authority management apparatus accordingto claim 1, wherein the permission information includes information foridentifying the first user, information for identifying the second user,and information about a function of the external apparatus permitted tobe used by the second user.
 6. The authority management apparatusaccording to claim 5, wherein the permission information furtherincludes information indicating a specific storage area in a storagedevice of the external apparatus and/or specific data stored in thestorage device, the information being used along with the function ofthe external apparatus permitted to be used by the second user.
 7. Theauthority management apparatus according to claim 1, wherein thepermission information includes information indicating an expirationdate of permission for the second user to use a function of the externalapparatus executable by the first user.
 8. The authority managementapparatus according to claim 1, wherein the permission informationincludes information indicating a number of permitted times the seconduser can use a function of the external apparatus executable by thefirst user.
 9. An authority management system comprising: an authoritymanagement apparatus; and an external apparatus, wherein the authoritymanagement apparatus comprises: a management unit configured to manageauthority information indicating an authority concerning use of one ormore functions of an external apparatus with respect to a particularuser, an updating unit configured to, based on permission informationfor permitting a second user different from a first user to use afunction of the external apparatus that the first user can execute,update the authority information concerning the second user, and asending unit configured to send the authority information updated by theupdating unit to the external apparatus to be used by the second user,wherein the external apparatus comprises: an image forming apparatus,wherein the function of the external apparatus includes at least one ofa copy function, print function, image sending function, or imagestorage function, wherein the external apparatus is configured torestrict use of the external apparatus by the second user based on theupdated authority information sent by the sending unit.
 10. A method inan authority management apparatus configured to communicate with anexternal apparatus having one or more functions, the method comprising:managing authority information indicating an authority concerning use ofthe one or more functions of the external apparatus with respect to aparticular user; permitting, based on permission information, a seconduser different from a first user to use a function of the externalapparatus that the first user can execute, updating the authorityinformation concerning the second user; and sending the updatedauthority information to the external apparatus to be used by the seconduser.
 11. A computer-readable storage medium storing computer-executableprocess steps, the computer-executable process steps causing a computerto execute the method of claim 10.